Software & System Assurance

Autonomic Software Patching

The network worm vaccine architecture is a system designed to automatically patch and defend systems and networks under attack by worms or other network threats.

The ability of worms to spread at rates that effectively preclude human-directed reaction has elevated them to a first-class security threat to distributed systems. We present the first reaction mechanism that seeks to automatically patch vulnerable software. Our system employs a collection of sensors that detect and capture potential worm infection vectors. We automatically test the effects of these vectors on appropriately instrumented, sandboxed instances of the targeted application, trying to identify the exploited software weakness. Our heuristics allow us to automatically generate patches that can protect against certain classes of attack, and to test the resistance of the patched application against the infection vector.

Further research on extending this architecture to capture a wide range of known and unknown attacks is underway. Currently, we are extending the architecture with the ability to capture email worms by introducing a host-based intrusion detection mechanism for the instrumented application.

Stelios Sidiroglou, Michael E. Locasto, and Angelos D. Keromytis. In the Proceedings of the Workshop on Architectural Support for Security and Anti-Virus (WASSA), held in conjunction with the 11th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-XI). October 2004, Boston, MA.